[syslog-ng] Syslog-ng beginners guide

Balazs Scheidler bazsi at balabit.hu
Fri Jul 3 16:02:47 CEST 2009


On Thu, 2009-07-02 at 17:50 +0300, Cosmin Neagu wrote:
> I have tried like this:
> 
>     On a remote Linux host (Ubuntu 9.04) I have configured syslog-ng
> like this:
> 
> source s_internal {internal();};
> source s_local {
> file ("/proc/kmsg" log_prefix("kernel: "));
> unix-stream ("/dev/log");
> };
> 
> destination d_localfile { file ("/home/cosmin/syslog.log"); };
> destination d_remote { tcp("192.168.53.248" port(514)); };
> # I have tried with udp also
> 
> log { source(s_local);          destination(d_localfile); };
> log { source(s_internal);       destination(d_localfile); };
> log { source(s_local);          destination(d_remote);    };
> 
>     On the syslog server (Fedora c10), the configuration is:
> 
> source s_remote_tcp { tcp(ip(0.0.0.0) port(514)); };
> # I have tried with udp also.
> destination d_localfile {file ("/root/syslog.log"); };
> log {   source (s_remote_tcp);          destination (d_localfile); }; 
> 
>     After a few tests, I have noticed (with the help of Wireshark) the
> following:
> 1. In the UDP case, it sends the logs, I can see the packets arriving on
> the server with tcpdump, but the server returns an ICMP error
> Destination Unreachable, with code "Host Administratively Prohibited".
> 2. The same thing in the TCP case, only that the message is not sent, only
> the first SYN packet trying to establish the TCP connection, and it
> receives the same ICMP error from the server.
> 
> 
> On the server I have Fedora Core 10, with SELinux disabled. No
> firewall at all. Actually I don't know yet how to configure iptables.
> 
> I have noticed that on the server, if I try to define a source like
> this:
> source s_remote_tcp {tcp (ip (192.168.53.151) port(514)); };
> it will give an error:
> Starting syslog-ng: Error binding socket;
> addr='AF_INET(192.168.53.151:514)', error='Cannot assign requested
> address (99)'
> Error initializing source driver; source='s_remote_tcp'
> 
> Please, can someone help me with this problem? I don't know what could be
> blocking the packets, if it is because of the OS or because of the
> syslog-ng configuration.

ICMP admin prohibited is probably generated by the packet filter. It
cannot be generated by an application (unless it'd be injecting ICMP
packets of its own, which syslog-ng doesn't do).

Also, I wanted to point out that starting with 2.1, syslog-ng has its
own SQL destination, no need to mess with named pipes. But if you decide
to use a newer version, I would recommend 3.0.3, the current stable
version.

-- 
Bazsi
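An added example, not part of the thread above: the ICMP "host administratively prohibited" (type 3, code 10) seen in Wireshark is exactly what the catch-all rule Fedora's stock firewall ends the INPUT chain with, `-A INPUT -j REJECT --reject-with icmp-host-prohibited`, produces for any packet no earlier rule accepted, including a UDP datagram or TCP SYN to port 514. The script below models that chain with a constructed `iptables-save` style ruleset (it is modelled on a Fedora default, not captured from the poster's server) and walks it the way the kernel would for a new inbound syslog packet, first with the default rules and then after emulating `iptables -I INPUT -p udp --dport 514 -j ACCEPT`, which inserts the ACCEPT ahead of the REJECT. The function names `syslog_reachable` and `allow_port` are this example's own.

```shell
#!/bin/sh
# Constructed ruleset in iptables-save format, modelled on a Fedora 10 default
# (not taken from the poster's host). The last INPUT rule is the one that
# answers with ICMP type 3 code 10 "host administratively prohibited".
DEFAULT_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# syslog_reachable RULES PROTO PORT
# Walks the INPUT chain in order, as the kernel does, for a NEW inbound PROTO
# packet to PORT from a remote host, and prints the first matching verdict:
# "accept", "reject" (REJECT or DROP) or "policy" (no rule matched).
syslog_reachable() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
    /^-A INPUT / {
        p = ""; d = ""; t = ""; iface = ""; st = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") p = $(i + 1)
            else if ($i == "--dport") d = $(i + 1)
            else if ($i == "-j") t = $(i + 1)
            else if ($i == "-i") iface = $(i + 1)
            else if ($i == "--state") st = $(i + 1)
        }
        if (iface == "lo") next                   # remote sender is not on loopback
        if (st != "" && st !~ /NEW/) next         # conntrack rule for existing flows only
        if (p != "" && p != proto) next           # protocol mismatch
        if (d != "" && d != port) next            # port mismatch
        if (t == "ACCEPT") { print "accept"; done = 1; exit }
        if (t == "REJECT" || t == "DROP") { print "reject"; done = 1; exit }
    }
    END { if (!done) print "policy" }'
}

# allow_port RULES PROTO PORT
# Emulates "iptables -I INPUT -p PROTO --dport PORT -j ACCEPT": the new rule is
# inserted at the head of the INPUT chain, so it is evaluated before the REJECT.
allow_port() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
    /^-A INPUT / && !ins {
        printf "-A INPUT -p %s -m %s --dport %s -j ACCEPT\n", proto, proto, port
        ins = 1
    }
    { print }'
}

# Demonstration: the default chain rejects both transports on 514, and opening
# only udp/514 leaves tcp/514 still rejected.
for proto in udp tcp; do
    printf 'syslog %s/514 with default rules: %s\n' "$proto" \
        "$(syslog_reachable "$DEFAULT_RULES" "$proto" 514)"
done
FIXED_RULES=$(allow_port "$DEFAULT_RULES" udp 514)
printf 'syslog udp/514 after inserting ACCEPT: %s\n' "$(syslog_reachable "$FIXED_RULES" udp 514)"
printf 'syslog tcp/514 after inserting ACCEPT for udp only: %s\n' "$(syslog_reachable "$FIXED_RULES" tcp 514)"
```

On the real server the equivalent is to run `iptables -I INPUT -p udp --dport 514 -j ACCEPT` (and the same with `-p tcp` if the tcp() driver is used), confirm with `iptables -L INPUT -n --line-numbers` that the ACCEPT sits above the REJECT line, and persist it with `service iptables save` so it survives a reboot. The separate bind error in the quoted message, "Cannot assign requested address (99)", is EADDRNOTAVAIL: the `ip()` option of a tcp() or udp() source must name an address configured on the server itself, so 192.168.53.151 can only be used there if it is one of the server's own addresses.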



